SECURITY CENTER
Your data is safe with Joan
Visionect d.o.o., the company behind Joan, holds ISO/IEC 27001:2022 certification.
All customer data is hosted in EU-based data centers on Google Cloud Platform and encrypted end-to-end. Here is everything you need to know.
Data storage transparency
Joan devices hold calendar data in memory only. No data is written to disk, and all event details are cleared on reboot.
Customers who enable Room Booking in MyJoan store a defined set of calendar data in Joan’s secure, EU-based infrastructure: meeting organizer and attendee names and email addresses, and meeting title and description. Data storage is strictly limited to accounts where Room Booking is actively enabled.
Customers who disable the feature may request complete deletion of all associated calendar data at any time.
Security at every level
Controls that apply to Visionect d.o.o., the company behind Joan.
Least-privilege access
Team members access only the data required for their role. Access is reviewed periodically.
Employee security training
All staff complete security awareness training at onboarding and receive ongoing education.
Mandatory code review
All code changes undergo peer review before production deployment. Automated testing is integrated into the CI/CD pipeline.
Vulnerability management
Regular vulnerability assessments, prioritized by risk severity and aligned with ISO 27001.
Incident response
Documented plan covering detection, containment, recovery, and post-incident review. Customers notified per GDPR obligations.
Security controls built into Joan e-paper hardware (Joan 6 Pro, Joan 6 RE, and other Joan devices).
Purpose-built secure OS
Devices run a secure real-time OS. Hardware keys prevent unauthorized software. No general-purpose OS, no app store, no third-party attack surface.
No data stored on device
Calendar data is accessed only when needed and cached temporarily in memory. It is never permanently stored on the device.
Enterprise wireless security
Joan 6 Pro supports WPA2-EAP for enterprise wireless network authentication.
Remote deauthorization
Lost or stolen devices can be deauthorized remotely from the Joan portal. No confidential data is stored on the device.
Security controls for the Joan cloud platform and all customer data processing.
Google Cloud Platform
Joan runs on GCP — ISO 27001, SOC 2, and SOC 3 certified infrastructure with redundant power, networking, and physical security.
EU data residency
All customer data stored in EU-based data centers (Belgium). Full EU data sovereignty.
Encryption in transit
All communication between Joan devices and servers uses TLS 1.3.
Encryption at rest
Data at rest is encrypted using industry-standard protocols within Google Cloud Platform.
Business continuity
Multi-availability-zone architecture. Business continuity and disaster recovery plans maintained and tested.
SSO, RBAC, and SCIM
SSO via OAuth2, Google, and Microsoft 365. SCIMv2 provisioning. Role-based access control for team permissions.
How Joan collects, processes, and protects personal data under GDPR.
Data minimization
Only data strictly necessary to deliver the service is collected. Joan does not sell or share personal data for advertising.
Full GDPR compliance
All processing is lawful and transparent. Full support for data subject rights: access, rectification, erasure, portability, and restriction.
Data retention and deletion
Data retained only as long as needed to provide the service. On account termination, data is removed per retention policy and legal requirements.
GDPR-compliant subprocessors
All subprocessors, including those outside the EU, conform to GDPR standards. Subprocessor list available on request.
Documents and resources
The following documents are available to support your security and compliance review.
| Document | Description | Availability | How to access |
|---|---|---|---|
| ISO/IEC 27001:2022 Certificate | Company-wide ISMS, independently audited, with annual surveillance reviews | Available | View on website |
| Data Processing Agreement (DPA) | Outlines Joan’s obligations as data processor under GDPR | On request | Request via Legal page |
| Privacy & Cookie Policy | Data collection practices, cookie usage, and data subject rights | Available | View on website |
| Terms of Service | Contractual terms governing use of the Joan platform and hardware | Available | View on website |
| Subprocessor List | All third-party processors used by Joan, GDPR-compliant, including non-EU | On request | [email protected] |
| Penetration Test Summary | Executive summary of independent security assessment results | Under NDA | [email protected] |
Documents marked “On request” are available to verified enterprise customers and prospects. Contact [email protected] to initiate a security review or request documentation.
Frequently Asked Questions
Where is Joan data stored?
All Joan customer data is stored in EU-based data centers located in Belgium, hosted on Google Cloud Platform. Data never leaves the European Union.
Is Joan GDPR compliant?
Yes. Joan is fully GDPR compliant. All data processing is lawful and transparent. Customers can request data access, rectification, erasure, or portability at any time. A Data Processing Agreement (DPA) is available upon request.
Is Joan ISO 27001 certified?
Yes. Visionect d.o.o., the company behind Joan, holds ISO/IEC 27001:2022 certification for its company-wide Information Security Management System. The certificate is independently audited with annual surveillance reviews.
How is data encrypted?
All communication between Joan devices and servers is encrypted using TLS 1.3. Data at rest is encrypted using industry-standard protocols within Google Cloud Platform.
What happens to my data if I cancel?
Upon account termination or a deletion request, customer data is removed in accordance with our data retention policy and applicable legal requirements. Contact [email protected] for details.
Does Joan store data on the physical devices?
No. Calendar data is accessed only when required and cached temporarily in memory. It is never permanently stored on the device. Lost or stolen devices can be deauthorized remotely from the Joan portal.
Can I get a copy of your penetration test results?
A penetration test summary is available under NDA. Contact [email protected] to request access.
Do you use multi-factor authentication (MFA) for remote access to cloud services and email?
It is mandatory for all employees to use MFA (2FA) for remote access to key company systems. This is enforced through our hardened service account policies.
Do your employees undergo regular security awareness training, including phishing and secure practices?
Yes, all our employees undergo mandatory and regular security awareness training. This training begins during onboarding and is conducted periodically to ensure staff remain updated on evolving security risks.
Do you have a data classification policy in place that includes protection, labelling and handling?
Yes, we have a data classification policy that covers protection, labeling, and handling. Our policy classifies data into three levels: Public, Internal, and Confidential. This classification determines the required protection measures, handling procedures, and access restrictions for all information assets.
What is the standard retention period for the stored data?
The standard retention period for the Joan data is 12 months. Storing the data is necessary for Joan analytical features.
Do you have DLP (Data Loss Prevention) in place across all channels including email and web?
We have implemented a multi-layered approach to data loss prevention through a combination of technical and procedural controls. Our data leakage prevention measures are based on our risk assessment and include data encryption during transmission and storage, strict access controls, and network security measures like firewalls and secure VPNs.
Do you use firewalls and network security solutions to protect your networks?
Yes, we implement multiple network security controls to protect our networks. Our security solutions include logical network separation, network access control, strong authentication, and strong encryption for data in transit (TLS 1.3).
Is access to information systems restricted based on roles, responsibilities, and the principle of least privilege?
Yes, access to our information systems is strictly restricted based on roles, responsibilities, and the principle of least privilege. Our access control policy ensures that users are granted only the minimum access rights necessary to perform their job duties. Privileged access is strictly controlled, limited to essential personnel, and reviewed regularly.
Do you have established processes to enable compliance with data protection and privacy legislation?
We have established comprehensive processes to ensure compliance with data protection and privacy legislation, including GDPR. We continuously monitor legal and regulatory requirements and conduct regular risk assessments and both internal and external audits to maintain compliance. All our software and systems are designed and operated in adherence to applicable data processing regulations. Our commitment is further demonstrated through our ISO 27001 certification and by having a dedicated legal team monitor contractual obligations.
Do you have business continuity and disaster recovery plans that are tested regularly?
Yes, we have a formal Business Continuity Management (BCM) system to ensure uninterrupted business operations. We have established rigorous backup and restoration procedures, and these restoration processes are regularly tested to ensure swift recovery. Our business continuity plans are reviewed and tested regularly to confirm their suitability and effectiveness, with all testing recorded in test reports.
Do you regularly scan systems, infrastructure and endpoints for vulnerabilities?
Yes, we regularly scan our systems, infrastructure, and endpoints for vulnerabilities. Our vulnerability management process includes proactive monitoring of industry trends and threat intelligence, as well as periodic vulnerability scanning of our entire system, performed at least annually or more frequently if necessary. This approach allows us to identify and remediate potential weaknesses. We also maintain a formal patch management policy to ensure that all company-operated systems, software, and employee devices are kept up to date with the latest security patches.
Does your organisation have a risk management process to identify, assess, monitor, and respond to cybersecurity risks?
Yes, we have a formal risk management process aligned with ISO 27001 standards as part of our Information Security Management System (ISMS). Risks that exceed our defined acceptance threshold are addressed through appropriate treatment measures, such as implementing new controls, formal acceptance, or transferring the risk.
Does your organisation evaluate the performance of your information security program through internal audits?
Yes, we evaluate the performance of our information security program through regular internal and external audits. Our Information Security Management System (ISMS) is subject to regular audits, including certification audits against the ISO 27001 standard. Internal audits are conducted at least annually, or when significant changes occur, to evaluate the effectiveness and compliance of our internal processes, systems, and controls. The results of these audits ensure our security policies and procedures remain relevant and effective and drive continuous improvement of our security program.
Does your organisation have an information security policy that is reviewed at least annually and approved by management?
Yes, we maintain an established Information Security Policy which is the cornerstone of our Information Security Management System (ISMS). To ensure its continued relevance and effectiveness, the policy is reviewed regularly.
Are user access rights reviewed periodically and is there a process for revoking access when employees leave?
Yes, confidential and personal data are encrypted both in transit and at rest. We utilize strong encryption mechanisms to protect sensitive data during transmission and while stored. For data in transit, all our critical services and communications, including remote access, use strong encryption like TLS 1.3 and encrypted HTTPS connections. For data at rest, we enforce encryption on all company-owned mobile devices and laptops, and sensitive data is stored on secure, access-controlled cloud platforms rather than locally on devices.
Have you been certified by ISO 27001, SOC type 1, SOC type 2, Data Privacy, PCI DSS or similar security standards?
Yes, our Information Security Management System (ISMS) is certified against the ISO 27001 standard. Our ISMS is subject to regular internal and external audits, including annual certification audits conducted by an accredited certification body. While we do not hold SOC or PCI-DSS certifications, our security practices are designed to align with industry best practices and comply with relevant regulations such as GDPR.
Does your organisation conduct penetration testing on information systems?
Yes, we conduct penetration testing on our information systems. To provide independent assurance, we engage an external partner annually to perform security and vulnerability assessments, which include penetration testing and vulnerability scanning, on our production code and systems. This testing typically occurs on pre-production or production environments and serves as a critical security validation step. Findings from these external assessments are reviewed, prioritized, and used to drive remediation efforts and improvements in our development practices.
Do you maintain an inventory of all information assets and are they assigned to owners?
Yes, we maintain a comprehensive inventory of our information assets, which includes hardware, software, documentation, and cloud infrastructure. Each asset is assigned an owner who is responsible for its management and security throughout its lifecycle. This process is a fundamental component of our Information Security Management System (ISMS).
Is antivirus/EDR software installed on all endpoint devices?
Yes, all company-owned endpoint devices, including laptops and workstations, are equipped with antivirus software.
Does your organisation perform background checks on employees and contractors before granting access to data?
Yes, our organization performs background verification checks on all candidates, including employees and contractors, before granting them access to data. These checks are conducted prior to joining and are proportional to the business requirements, the classification of the information to be accessed, and the perceived risks. Our screening process includes candidate verification activities such as education verification, past employment history, and references, all carried out in accordance with applicable laws and internal procedures.
Has your organisation experienced a data loss or security breach within the last 3 years?
We have not experienced any data loss or security breaches. Our Business Continuity Management documentation confirms that we have had no data breach or data integrity incidents. We maintain a comprehensive incident management system to prevent and respond appropriately to any violations or potential violations of confidentiality, integrity, and availability.
